Re: [UMP] Subsetting (was: [XHR2] AnonXMLHttpRequest())

On Mon, Apr 12, 2010 at 1:00 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>
> On Apr 12, 2010, at 10:33 AM, Tyler Close wrote:
>
>> On Mon, Apr 12, 2010 at 6:49 AM, Arthur Barstow <art.barstow@nokia.com> wrote:
>>>
>>> Maciej, Tyler - thanks for continuing this discussion. I think it would be
>>> helpful to have consensus on what we mean by subsetting in this context.
>>> (Perhaps the agreed definition could be added to the CORS and UMP Comparison
>>> [1].)
>>
>> I've added a new section to the wiki page, "UMP as subset of CORS":
>>
>>
>> http://www.w3.org/Security/wiki/Comparison_of_CORS_and_UMP#UMP_as_subset_of_CORS
>>
>
> I do not think the set of subset criteria posted there matches what I
> proposed and what we've been discussing in this thread.

I intended criterion #3 to correspond to conditions A1+B2 in our last
email exchange, which covers an UMP API to CORS resource message
exchange. The last unnumbered criterion corresponds to conditions A2+B1
in our last email exchange, which covers a CORS API to UMP resource
message exchange. Criteria #1 and #2 correspond to the additional
safety aspects of condition C that you wanted explicitly stated.

What aspect of the subset criteria have I missed?

> Should I put some
> abbreviated form of my proposal in the wiki? I am not sure what the
> conventions are for editing this wiki page.
>
> I think the points you make on the wiki about cross-endangerment are good,
> but they are not really subset criteria, that's a property we want for any
> two Web platform features, and it could be achieved with a strategy of
> making things completely different instead of the subset strategy. They do
> represent relations that we should maintain however.

I included these because our last email exchange indicated to me that
you wanted them explicitly stated.

> I think even taken together, your set of subset conditions does guarantee
> that a CORS client implementation is automatically also a UMP client
> implementation. If we went that way, then we would have to consider whether
> there will ever be client implementors of UMP itself, or it will be
> impossible to fulfill CR exit criteria.

If there are implementers of CORS, then by definition, there are
implementers of UMP. I don't see anything in CR exit criteria that
requires implementers to swear not to also implement other
specifications.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Monday, 12 April 2010 22:10:37 UTC